A storage system may assign a different encryption key to each logical storage unit (LSU) of a storage system. For each LSU, the encryption key of the LSU may be shared only with host systems authorized to access data of the LSU. In response to a read request for a data portion received from a host application executing on the host system, encryption metadata for the data portion may be accessed. If it is determined from the encryption metadata that the data portion is encrypted, the data encryption metadata for the data portion may be further analyzed to determine the encryption key for the data portion. The data may be retrieved from the storage system, for example, by performance of a direct read operation. The retrieved data may be decrypted, and the decrypted data may be returned to the requesting application.